HashiCorp Vault Secrets Usage

General May 28, 2019

Vault secret lifecycle

There are multiple operations that can be associated with the lifecycle of a secret in Vault:

  • Create: creates a secret
  • Read: reads the value of a secret in Vault
  • Update: updates a secret
  • Delete: deletes a secret, but it is recoverable through an undelete, i.e. a soft delete
  • Destroy: destroys a secret, i.e. a hard delete; it is unrecoverable, permanently deleted
  • Metadata Destroy: destroys the metadata associated with the deleted secret

Versioning

Version 1 and version 2 of the key/value secrets engine exist in Vault.

Version 1 properties

  • No versioning exists
  • It is faster than version 2, with fewer calls to the storage backend
  • Deleted items are permanently deleted; undelete is not possible
  • It can be upgraded to version 2
  • It is also the default version created on creation of a new key/value secrets engine

Version 2 properties

  • Versioning of past secrets is possible
  • Slower than version 1
  • Undelete is possible, and the metadata of deleted items can be retained
  • It cannot be downgraded to version 1
  • It should be specified as version 2 on creation of the key/value secrets engine

Most of the time we will be accessing Vault through the API, especially from a programmatic interface.

The syntax to access Vault through the API is as follows.

Note

  $VAULT_TOKEN is the generated token, passed as an environment variable
  $secretname is the name of the secret
  $VAULT_ADDR is the Vault address, e.g. 127.0.0.1 for localhost

Create a secret

vault kv put test-env/john age=23 month=october
#via API (version 2 engine: the path takes the data/ prefix and the key/value pairs are wrapped in a "data" object)
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST "$VAULT_ADDR/v1/secret/data/$secretname" --data '{"data": {"key": "value"}}'

Read a secret

vault kv get test-env/john
#via API
curl --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/data/$secretname?version=1"    #gets version 1 of the secret
curl --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/data/$secretname?version=2"    #gets version 2 of the secret

Delete a secret

vault kv delete test-env/john
#via API (soft delete of the latest version)
curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE "$VAULT_ADDR/v1/secret/data/$secretname"

Undelete a secret

curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST "$VAULT_ADDR/v1/secret/undelete/$secretname" --data '{"versions": [2]}'    #restores deleted version 2 of the secret

Destroy a secret

curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST "$VAULT_ADDR/v1/secret/destroy/$secretname" --data '{"versions": [1,2]}'    #destroys versions 1 and 2 of the secret; not recoverable

Delete the metadata associated with the secret

curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE "$VAULT_ADDR/v1/secret/metadata/$secretname"    #removes all versions and the metadata of the secret
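The same lifecycle as a small Python helper, added here as an example and not part of the original post or of Vault's own client libraries. It builds the method, path and JSON body that the version 2 key/value API expects for each step above, so a request can be inspected before a token is used; it assumes the engine is mounted at secret/, and the check-and-set (cas) option on put goes beyond what the post shows.

```python
"""KV version 2 request builder (added example, not from the original post)."""
import json
import os
import urllib.request


class KvV2:
    def __init__(self, mount="secret"):
        self.mount = mount.strip("/")

    def _req(self, method, prefix, path, body=None):
        # KV v2 routes every operation under a prefix: data/, metadata/,
        # undelete/ or destroy/. A v1-style path without a prefix does not
        # exist on a v2 mount, which is a common cause of 404s.
        return {"method": method,
                "path": f"/v1/{self.mount}/{prefix}/{path}",
                "body": body}

    def put(self, path, secret, cas=None):
        # v2 wraps the key/value pairs in a "data" object. The optional
        # "cas" makes the write fail unless the current version matches,
        # so two writers cannot silently overwrite each other.
        body = {"data": secret}
        if cas is not None:
            body["options"] = {"cas": cas}
        return self._req("POST", "data", path, body)

    def get(self, path, version=None):
        p = path if version is None else f"{path}?version={version}"
        return self._req("GET", "data", p)

    def delete(self, path):            # soft delete of the latest version
        return self._req("DELETE", "data", path)

    def undelete(self, path, versions):
        return self._req("POST", "undelete", path, {"versions": versions})

    def destroy(self, path, versions): # hard delete, not recoverable
        return self._req("POST", "destroy", path, {"versions": versions})

    def delete_metadata(self, path):   # removes all versions and the metadata
        return self._req("DELETE", "metadata", path)

    def send(self, req):
        # Token and address come from the environment, never from the code.
        data = None if req["body"] is None else json.dumps(req["body"]).encode()
        r = urllib.request.Request(os.environ["VAULT_ADDR"] + req["path"], data=data,
                                   method=req["method"],
                                   headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
        with urllib.request.urlopen(r) as resp:
            return json.load(resp)
```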